The Russian invasion of Ukraine has coincided ‘uncoincidentally’ with the jamming of airplane navigation systems & hacks on the SATCOM networks that power critical infrastructure.
In a warning to aviation authorities & air operators last Thur., the European Union Aviation Safety Agency (EASA) advised of satellite jamming & spoofing attacks across a large part of E. Europe that could affect air navigation systems.
The warning came with a new alert from the FBI & the US Cybersecurity Infrastructure & Security Agency (CISA) that hackers could be targeting satellite communications networks generally.
Jamming
The navigation-jamming attacks affecting airplanes began Feb. 24, the 1st day of the Russian invasion of Ukraine, EASA stated & they have continued proliferating.
As yet, the affected areas include the Black Sea airspace, Eastern Finland, the Kaliningrad region & other Baltic areas, & the Eastern Mediterranean area near Cyprus, Turkey, Lebanon, Syria & Israel, as well as Northern Iraq.
Possible Spoofing
“The effects of Global Navigation Satellite Systems (GNSS) jamming &/or possible spoofing were observed by aircraft in various phases of their flights, in certain cases leading to re-routing or even to change the destination due to the inability to perform a safe landing procedure,” EASA warned (PDF). “Under the present conditions, it is not possible to predict GNSS outages & their effects.”
Losing a GNSS signal could result in many bad outcomes, including pilots “flying blind,” without the use of ‘waypoint’ navigation to discover where they are.
Contested Airspace
Outages could also affect an airplane’s instrumentation accurately tracking its position, which could lead to a plane entering contested airspace; the inability to properly judge proximity to the ground (which could trigger ‘pull-up’ commands, states the alert); or the failure of systems that address problems e.g. wind shear.
“The magnitude of the issues generated by such outage would depend upon the extent of the area concerned, on the duration & on the phase of flight of the affected aircraft,” EASA warned.
The agency asked air operators to make sure that ‘fall-back’ conventional navigation infrastructure is fully operational onboard the aircraft, & to ensure reliable surveillance coverage that is resilient to GNSS interference, such as ground-based navigational aids (i.e., Distance Measuring Equipment or DME, & Very High Frequency omnidirectional range or VOR).
Conventional Navigation Aids
“Verify the aircraft position by means of conventional navigation aids when flights are operated in proximity of the affected areas; check that the navigation aids critical to the operation for the intended route & approach are available; & remain prepared to revert to a conventional arrival procedure where appropriate & inform air traffic controllers in such a case,” EASA recommended.
“Ensure, in the flight planning & execution phase, the availability of alternative conventional arrival & approach procedures (i.e. an airfield in the affected area with only GNSS approach procedure should not be considered as destination or alternate).”
Satellite Network Hacking
The concerns over the hacking of satellite systems also began Feb. 24 when Ukrainian officials reported that hackers had apparently compromised 1 of the nation’s satellite systems. According to Reuters, the attack made communication with the Viasat KA-SAT satellite impossible, which resulted in internet outages across Europe, with 10s of 1,000s of people cut off.
The cyber-attackers took advantage of a misconfigured management interface for the satellite network, Viasat explained.
The National Security Agency (NSA) is looking into if Russian state-sponsored players conducted the attack, outlines the report.
SATCOM Networks
Last week, CISA warned that it is “aware of possible threats to US & international satellite communication (SATCOM) networks. Successful incursions into SATCOM networks could create risk in SATCOM network providers’ customer environments.”
The agency advised satellite operators to start monitoring at entry & exit points for anomalous traffic, incl. the use of various remote access tools (Telnet, FTP, SSH etc.); connections out to “unexpected” network segments; unauthorised use of local or backup accounts; unexpected traffic to terminals or closed-group SATCOM networks; & ‘brute-force’ login attempts.
Multifactor Authentication
Satellite customers should implement multifactor authentication (MFA) on their accounts, CISA warned, & should prop-up ‘least-privilege’ approaches for any sensitive areas served by satellite links.
Andreas Galauner, Lead Security Researcher at Rapid7, noted that in the US, critical infrastructure is likely the target for such attacks.
“Almost no private individual uses SATCOM, as it is costly & the latency is too high & slow,” he outlined. “This leaves industrial & critical infrastructures, which makes SATCOM an appealing target.”
James McQuiggan, Security Awareness Advocate at KnowBe4, made a similar assessment.
Critical Element
“Communication is a critical element needed in life these days, whether between families or between govts.,” he explained. “If the ability to communicate is lost, it becomes challenging to strategize, co-ordinate or plan. When cyber-criminals are targeting this element of critical infrastructure, cyber-resiliency is essential to remain in contact.
Organisations working with SATCOM products or services need to ensure protections to secure access to the devices with multi-factor authentication. Ensure all systems are up to date with software & firmware updates, increase monitoring of traffic & logs, & review incident response plans to prepare for an outage.”
Be Alert
ISPs of all types should be alert, Galauner added.
“Even though this particular risk relates to satellite communication networks, this has happened before in ‘normal’ ISPs,” he suggested. “In those instances, what got ‘pwned’ is the CPE: modems & routers that were not configured properly by the ISP.
This could happen on DSL & cable lines as much as it can happen here. However, a satellite network, possibly spanning huge geographical areas, might allow attackers to perform more widespread attacks without having to be in the physical vicinity.”
